From c2839f859e6d257e37b98457494e14cc3d4fcbe4 Mon Sep 17 00:00:00 2001
From: Chris Wells
Date: Thu, 26 Nov 2020 12:44:40 -0500
Subject: [PATCH] Use templates for configuring new jails. Allow user to override default templates. Closes #205.
---
 usr/local/etc/bastille/bastille.conf.sample | 7 +
 usr/local/share/bastille/bootstrap.sh | 2 +
 usr/local/share/bastille/create.sh | 128 ++++++++++--------
 usr/local/share/bastille/template.sh | 4 +-
 .../templates/default/base/Bastillefile | 11 ++
 .../templates/default/empty/Bastillefile | 0
 .../templates/default/thick/Bastillefile | 4 +
 .../templates/default/thin/Bastillefile | 4 +
 .../templates/default/vnet/Bastillefile | 13 ++
 9 files changed, 118 insertions(+), 55 deletions(-)
 create mode 100644 usr/local/share/bastille/templates/default/base/Bastillefile
 create mode 100644 usr/local/share/bastille/templates/default/empty/Bastillefile
 create mode 100644 usr/local/share/bastille/templates/default/thick/Bastillefile
 create mode 100644 usr/local/share/bastille/templates/default/thin/Bastillefile
 create mode 100644 usr/local/share/bastille/templates/default/vnet/Bastillefile
diff --git a/usr/local/etc/bastille/bastille.conf.sample b/usr/local/etc/bastille/bastille.conf.sample
index e7bbf5dc..a47da946 100644
--- a/usr/local/etc/bastille/bastille.conf.sample
+++ b/usr/local/etc/bastille/bastille.conf.sample
@@ -48,3 +48,10 @@ bastille_decompress_xz_options="-c -d -v" ## default
 bastille_network_loopback="bastille0" ## default: "bastille0"
 bastille_network_shared="" ## default: ""
 bastille_network_gateway="" ## default: ""
+
+## Default Templates
+bastille_template_base="default/base" ## default: "default/base"
+bastille_template_empty="default/empty" ## default: "default/empty"
+bastille_template_thick="default/thick" ## default: "default/thick"
+bastille_template_thin="default/thin" ## default: "default/thin"
+bastille_template_vnet="default/vnet" ## default: "default/vnet"
diff --git a/usr/local/share/bastille/bootstrap.sh b/usr/local/share/bastille/bootstrap.sh
index 35ee66f9..9d4380b8 100644
--- a/usr/local/share/bastille/bootstrap.sh
+++ b/usr/local/share/bastille/bootstrap.sh
@@ -164,6 +164,7 @@ bootstrap_directories() {
 else
 mkdir -p "${bastille_templatesdir}"
 fi
+ ln -s "${bastille_sharedir}/templates/default" "${bastille_templatesdir}/default"
 fi
 
 ## ${bastille_releasesdir}
@@ -304,6 +305,7 @@ bootstrap_template() {
 else
 mkdir -p "${bastille_templatesdir}"
 fi
+ ln -s "${bastille_sharedir}/templates/default" "${bastille_templatesdir}/default"
 fi
 
 ## define basic variables
diff --git a/usr/local/share/bastille/create.sh b/usr/local/share/bastille/create.sh
index 141edfba..1be81266 100644
--- a/usr/local/share/bastille/create.sh
+++ b/usr/local/share/bastille/create.sh
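Review bot: The `ln -s` inserted after the `mkdir -p ... fi` in `bootstrap_directories()` — and repeated verbatim in the `bootstrap_template()` hunk at +305 — is unchecked: if `${bastille_templatesdir}/default` already exists (a user's own `default` template directory, or a link left by an earlier bootstrap), `ln -s` fails with "File exists" and, depending on whether the script runs under `set -e` (not visible here), either aborts bootstrap or silently continues without the link. The create.sh hunk in this same commit guards the identical link with an existence test; use the same guard here, `if [ ! -e "${bastille_templatesdir}/default" ]; then ln -s "${bastille_sharedir}/templates/default" "${bastille_templatesdir}/default"; fi`, or move the link into one helper called from both functions. Both enclosing functions start and end outside their hunks.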
@@ -326,71 +326,68 @@ create_jail() {
 ln -s usr/home home
 fi
- ## rc.conf
- ## + syslogd_flags="-ss"
- ## + sendmail_enable="NO"
- ## + sendmail_submit_enable="NO"
- ## + sendmail_outbound_enable="NO"
- ## + sendmail_msp_queue_enable="NO"
- ## + cron_flags="-J 60" ## cedwards 20181118
- if [ ! -f "${bastille_jail_rc_conf}" ]; then
- touch "${bastille_jail_rc_conf}"
- sysrc -f "${bastille_jail_rc_conf}" syslogd_flags="-ss"
- sysrc -f "${bastille_jail_rc_conf}" sendmail_enable="NO"
- sysrc -f "${bastille_jail_rc_conf}" sendmail_submit_enable="NO"
- sysrc -f "${bastille_jail_rc_conf}" sendmail_outbound_enable="NO"
- sysrc -f "${bastille_jail_rc_conf}" sendmail_msp_queue_enable="NO"
- sysrc -f "${bastille_jail_rc_conf}" cron_flags="-J 60"
+ ## TZ: configurable (default: Etc/UTC)
+ ln -s "/usr/share/zoneinfo/${bastille_tzdata}" etc/localtime
- ## VNET specific
- if [ -n "${VNET_JAIL}" ]; then
- ## rename interface to generic vnet0
- uniq_epair=$(grep vnet.interface "${bastille_jailsdir}/${NAME}/jail.conf" | awk '{print $3}' | sed 's/;//')
- /usr/sbin/sysrc -f "${bastille_jail_rc_conf}" "ifconfig_${uniq_epair}_name"=vnet0
+ # Post-creation jail misc configuration
+ # Create a dummy fstab file
+ touch "etc/fstab"
+ # Disables adjkerntz, avoids spurious error messages
+ sed -i '' 's|[0-9],[0-9]\{2\}.*[0-9]-[0-9].*root.*kerntz -a|#& # Disabled by bastille|' "etc/crontab"
- ## if 0.0.0.0 set DHCP
- ## else set static address
- if [ "${IP}" == "0.0.0.0" ]; then
- /usr/sbin/sysrc -f "${bastille_jail_rc_conf}" ifconfig_vnet0="SYNCDHCP"
- else
- /usr/sbin/sysrc -f "${bastille_jail_rc_conf}" ifconfig_vnet0="inet ${IP}"
- if [ -n "${bastille_network_gateway}" ]; then
- /usr/sbin/sysrc -f "${bastille_jail_rc_conf}" defaultrouter="${bastille_network_gateway}"
- else
- /usr/sbin/sysrc -f "${bastille_jail_rc_conf}" defaultrouter="$(netstat -rn | awk '/default/ {print $2}')"
- fi
- fi
-
- ## VNET requires jib script
- if [ ! "$(command -v jib)" ]; then
- if [ -f /usr/share/examples/jails/jib ] && [ ! -f /usr/local/bin/jib ]; then
- install -m 0544 /usr/share/examples/jails/jib /usr/local/bin/jib
- fi
+ ## VNET specific
+ if [ -n "${VNET_JAIL}" ]; then
+ ## VNET requires jib script
+ if [ ! "$(command -v jib)" ]; then
+ if [ -f /usr/share/examples/jails/jib ] && [ ! -f /usr/local/bin/jib ]; then
+ install -m 0544 /usr/share/examples/jails/jib /usr/local/bin/jib
 fi
 fi
 fi
-
- ## resolv.conf (default: copy from host)
- if [ ! -f "${bastille_jail_resolv_conf}" ]; then
- cp -L "${bastille_resolv_conf}" "${bastille_jail_resolv_conf}"
- fi
-
- ## TZ: configurable (default: Etc/UTC)
- ln -s "/usr/share/zoneinfo/${bastille_tzdata}" etc/localtime
 else
 ## Generate minimal configuration for empty jail
 generate_minimal_conf
 fi
- # Post-creation jail misc configuration
- # Creates a dummy fstab file
- # Disables adjkerntz, avoids spurious error messages
 # Set strict permissions on the jail by default
- if [ -z "${EMPTY_JAIL}" ]; then
- touch "etc/fstab"
- sed -i '' 's|[0-9],[0-9]\{2\}.*[0-9]-[0-9].*root.*kerntz -a|#& # Disabled by bastille|' "etc/crontab"
- fi
 chmod 0700 "${bastille_jailsdir}/${NAME}"
+
+ # Jail must be started before applying the default template. -- cwells
+ bastille start "${NAME}"
+
+ if [ -n "${VNET_JAIL}" ]; then
+ if [ -n ${bastille_template_vnet} ]; then
+ ## rename interface to generic vnet0
+ uniq_epair=$(grep vnet.interface "${bastille_jailsdir}/${NAME}/jail.conf" | awk '{print $3}' | sed 's/;//')
+
+ _gateway=''
+ _ifconfig=SYNCDHCP
+ if [ "${IP}" != "0.0.0.0" ]; then # not using DHCP, so set static address.
+ _ifconfig="inet ${IP}"
+ if [ -n "${bastille_network_gateway}" ]; then
+ _gateway="${bastille_network_gateway}"
+ else
+ _gateway="$(netstat -rn | awk '/default/ {print $2}')"
+ fi
+ fi
+ bastille template "${NAME}" ${bastille_template_vnet} --arg BASE_TEMPLATE="${bastille_template_base}" --arg HOST_RESOLV_CONF="${bastille_resolv_conf}" --arg EPAIR="${uniq_epair}" --arg GATEWAY="${_gateway}" --arg IFCONFIG="${_ifconfig}"
+ fi
+ elif [ -n "${THICK_JAIL}" ]; then
+ if [ -n ${bastille_template_thick} ]; then
+ bastille template "${NAME}" ${bastille_template_thick} --arg BASE_TEMPLATE="${bastille_template_base}" --arg HOST_RESOLV_CONF="${bastille_resolv_conf}"
+ fi
+ elif [ -n "${EMPTY_JAIL}" ]; then
+ if [ -n ${bastille_template_empty} ]; then
+ bastille template "${NAME}" ${bastille_template_empty} --arg BASE_TEMPLATE="${bastille_template_base}" --arg HOST_RESOLV_CONF="${bastille_resolv_conf}"
+ fi
+ else # Thin jail.
+ if [ -n ${bastille_template_thin} ]; then
+ bastille template "${NAME}" ${bastille_template_thin} --arg BASE_TEMPLATE="${bastille_template_base}" --arg HOST_RESOLV_CONF="${bastille_resolv_conf}"
+ fi
+ fi
+
+ # Apply values changed by the template. -- cwells
+ bastille restart "${NAME}"
 }
 # Handle special-case commands first.
@@ -520,7 +517,7 @@ if [ -z "${EMPTY_JAIL}" ]; then
 fi
 
 ## check if interface is valid
- if [ -n "${INTERFACE}" ]; then
+ if [ -n "${INTERFACE}" ]; then
 validate_netif
 validate_netconf
 else
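Review bot: The four template guards `if [ -n ${bastille_template_vnet} ]; then` (and the thick, empty and thin branches after it) leave the expansion unquoted, so when the variable is empty — which the +532 hunk explicitly documents as a valid "apply no template" value — the test degenerates to `[ -n ]`, which is true, and `bastille template "${NAME}"` is invoked with a missing template name instead of being skipped. Quote both the test and the argument: `if [ -n "${bastille_template_vnet}" ]; then` and `bastille template "${NAME}" "${bastille_template_vnet}" --arg ...`, and the same on the other three branches. Separately, nothing checks the exit status of the new `bastille start "${NAME}"`, so a jail that fails to start still has the template applied and is restarted, and `create_jail` reports success regardless; returning early on a failed start (and on a failed `bastille template`) would avoid handing back a half-configured jail. `create_jail()` starts outside the hunk.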
@@ -535,4 +532,27 @@ if [ -n "${NAME}" ]; then
 running_jail
 fi
 
+# May not exist on deployments created before Bastille 0.7.20200714, so creating it. -- cwells
+if [ ! -e "${bastille_templatesdir}/default" ]; then
+ ln -s "${bastille_sharedir}/templates/default" "${bastille_templatesdir}/default"
+fi
+
+# These variables were added after Bastille 0.7.20200714, so they may not exist in the user's config.
+# We're checking for existence of the variables rather than empty since empty is a valid value. -- cwells
+if [ -z ${bastille_template_base+x} ]; then
+ bastille_template_base='default/base'
+fi
+if [ -z ${bastille_template_empty+x} ]; then
+ bastille_template_empty='default/empty'
+fi
+if [ -z ${bastille_template_thick+x} ]; then
+ bastille_template_thick='default/thick'
+fi
+if [ -z ${bastille_template_thin+x} ]; then
+ bastille_template_thin='default/thin'
+fi
+if [ -z ${bastille_template_vnet+x} ]; then
+ bastille_template_vnet='default/vnet'
+fi
+
 create_jail "${NAME}" "${RELEASE}" "${IP}" "${INTERFACE}"
diff --git a/usr/local/share/bastille/template.sh b/usr/local/share/bastille/template.sh
index 2f1e7a7e..80d7b9d9 100644
--- a/usr/local/share/bastille/template.sh
+++ b/usr/local/share/bastille/template.sh
@@ -232,13 +232,15 @@ for _jail in ${JAILS}; do
 continue
 ;;
 cmd)
+ # Escape single-quotes in the command being executed. -- cwells
+ _args=$(echo "${_args}" | sed "s/'/'\\\\''/g")
 # Allow redirection within the jail. -- cwells
 _args="sh -c '${_args}'"
 ;;
 cp|copy)
 _cmd='cp'
 # Convert relative "from" path into absolute path inside the template directory. -- cwells
- if [ "${_args%${_args#?}}" != '/' ]; then
+ if [ "${_args%${_args#?}}" != '/' ] && [ "${_args%${_args#??}}" != '"/' ]; then
 _args="${bastille_template}/${_args}"
 fi
 ;;
diff --git a/usr/local/share/bastille/templates/default/base/Bastillefile b/usr/local/share/bastille/templates/default/base/Bastillefile
new file mode 100644
index 00000000..7418fba6
--- /dev/null
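Review bot: The guard `if [ ! -e "${bastille_templatesdir}/default" ]; then` treats a dangling symlink as absent, because `-e` follows the link; if `default` is a stale link (for instance `${bastille_sharedir}` moved between releases), the `ln -s` runs anyway, fails with "File exists", and the stale link stays in place. Test for the link as well: `if [ ! -e "${bastille_templatesdir}/default" ] && [ ! -L "${bastille_templatesdir}/default" ]; then`. The five `${bastille_template_*+x}` existence checks do what the comment says; quoting them, `if [ -z "${bastille_template_base+x}" ]; then`, is the conventional form and keeps ShellCheck quiet without changing the result.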
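Review bot: The new escaping line `_args=$(echo "${_args}" | sed "s/'/'\\\\''/g")` passes the command text through `echo`, whose treatment of a leading `-n`/`-e` argument and of backslash sequences depends on the shell (FreeBSD's /bin/sh builtin accepts both flags), so a `CMD` line that starts with one of those tokens is altered before it is escaped. `_args=$(printf '%s\n' "${_args}" | sed "s/'/'\\\\''/g")` carries the text through unchanged. The escaping itself is right — each `'` becomes `'\''`, which is what keeps the `sh -c '...'` wrapper on the following line intact. The enclosing `case` and `for` loop start and end outside the hunk.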
+++ b/usr/local/share/bastille/templates/default/base/Bastillefile
@@ -0,0 +1,11 @@
+ARG HOST_RESOLV_CONF=/etc/resolv.conf
+
+CMD touch /etc/rc.conf
+SYSRC syslogd_flags="-ss"
+SYSRC sendmail_enable="NO"
+SYSRC sendmail_submit_enable="NO"
+SYSRC sendmail_outbound_enable="NO"
+SYSRC sendmail_msp_queue_enable="NO"
+SYSRC cron_flags="-J 60"
+
+CP "${HOST_RESOLV_CONF}" etc/resolv.conf
diff --git a/usr/local/share/bastille/templates/default/empty/Bastillefile b/usr/local/share/bastille/templates/default/empty/Bastillefile
new file mode 100644
index 00000000..e69de29b
diff --git a/usr/local/share/bastille/templates/default/thick/Bastillefile b/usr/local/share/bastille/templates/default/thick/Bastillefile
new file mode 100644
index 00000000..37e450e6
--- /dev/null
+++ b/usr/local/share/bastille/templates/default/thick/Bastillefile
@@ -0,0 +1,4 @@
+ARG BASE_TEMPLATE=default/base
+ARG HOST_RESOLV_CONF=/etc/resolv.conf
+
+INCLUDE ${BASE_TEMPLATE} --arg HOST_RESOLV_CONF="${HOST_RESOLV_CONF}"
diff --git a/usr/local/share/bastille/templates/default/thin/Bastillefile b/usr/local/share/bastille/templates/default/thin/Bastillefile
new file mode 100644
index 00000000..37e450e6
--- /dev/null
+++ b/usr/local/share/bastille/templates/default/thin/Bastillefile
@@ -0,0 +1,4 @@
+ARG BASE_TEMPLATE=default/base
+ARG HOST_RESOLV_CONF=/etc/resolv.conf
+
+INCLUDE ${BASE_TEMPLATE} --arg HOST_RESOLV_CONF="${HOST_RESOLV_CONF}"
diff --git a/usr/local/share/bastille/templates/default/vnet/Bastillefile b/usr/local/share/bastille/templates/default/vnet/Bastillefile
new file mode 100644
index 00000000..92b76fc6
--- /dev/null
+++ b/usr/local/share/bastille/templates/default/vnet/Bastillefile
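Review bot: `CP "${HOST_RESOLV_CONF}" etc/resolv.conf` copies unconditionally, whereas the create.sh code this commit removes copied only when the jail had no resolv.conf yet; that is equivalent for a freshly created jail but clobbers an edited file whenever the template is re-applied later through `bastille template`. Worth stating in the file so nobody is surprised: `# Overwrites the jail's resolv.conf with the host's copy on every apply.`. The `thick` and `thin` Bastillefiles added below are byte-identical (both index 37e450e6); a one-line comment in each saying why they are kept as separate files would help whoever edits one and not the other.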
@@ -0,0 +1,13 @@
+ARG BASE_TEMPLATE=default/base
+ARG HOST_RESOLV_CONF=/etc/resolv.conf
+
+INCLUDE ${BASE_TEMPLATE} --arg HOST_RESOLV_CONF="${HOST_RESOLV_CONF}"
+
+ARG EPAIR
+ARG GATEWAY
+ARG IFCONFIG="SYNCDHCP"
+
+SYSRC ifconfig_${EPAIR}_name=vnet0
+SYSRC ifconfig_vnet0="${IFCONFIG}"
+# GATEWAY will be empty for a DHCP config. -- cwells
+CMD if [ -n "${GATEWAY}" ]; then /usr/sbin/sysrc defaultrouter="${GATEWAY}"; fi
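Review bot: `SYSRC ifconfig_${EPAIR}_name=vnet0` has no protection against an empty `EPAIR`: `ARG EPAIR` declares no default, and the value create.sh passes is whatever `grep vnet.interface` over jail.conf produced, so a missing or differently formatted line ends up as `ifconfig__name=vnet0` in the jail's rc.conf with no error. Document the contract on the declaration, `# EPAIR: host-side epair name taken from jail.conf's vnet.interface; must be non-empty`, and have create.sh check `uniq_epair` before calling the template. The final `CMD` line interpolates `${GATEWAY}` into shell text that the jail's `sh` parses; presumably the value is substituted verbatim (the substitution code is not in this diff), so validating it as an address in create.sh before passing it would guarantee it is only ever treated as data.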